WordPress Plugin Vulnerabilities

Online Booking & Scheduling Calendar for WordPress by vcita < 4.3.0 - Subscriber+ Denial of Service by account logout

Description

The plugin does not validate authorization in the vcita_logout ajax action, allowing any logged in user (with roles as low as subscriber) to log the site out from the cvita account, causing a denial of service for the appointment scheduling functionality.

Proof of Concept

Affects Plugins

Plugin icon
meeting-scheduler-by-vcita
Fixed in 4.3.0

References

CVE
CVE-2023-2415
URL
https://blog.jonh.eu/blog/security-vulnerabilities-in-wordpress-plugins-by-vcita

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Jonas Höbenreich
Verified
No
WPVDB ID
d96477b3-e055-4775-8347-d3b963650f50

Timeline

Publicly Published
2023-06-02 (about 2 years ago)
Added
2023-06-03 (about 2 years ago)
Last Updated
2023-06-13 (about 2 years ago)

Other

Published
Title
Published
2025-04-01
Title
UPC/EAN/GTIN Code Generator < 2.0.3 - Missing Authorization to Authenticated (Subscriber+) Settings Update
Published
2025-04-01
Title
SMS Abandoned Cart Recovery ✦ CartBoss < 4.1.3 - Missing Authorization
Published
2026-05-13
Title
Database Backup for WordPress < 2.5.3 - Missing Authorization to Unauthenticated Database Export
Published
2025-03-31
Title
Vitepos < 3.1.5 - Missing Authorization
Published
2025-10-08
Title
Doppler Forms < 2.6.0 - Subscriber+ Limited Plugin Installation